Testing for errant network connections

We kept breaking our XML catalog resolution[2] in the course of developing an application. We would refactor the parser code, or we would upgrade a schema and forget to upgrade the catalog. The application wouldn't break, but it took longer to run since resources were being retrieved over the network rather than from the local catalog. Because we didn't time our test runs, and because we had lots of non-network-dependent tests in the suite, this regression would go unnoticed for a while. When it was noticed, we'd fix the symptom, then move on. Until it happened again...

After the sixth or so occurrence in a few years, I wrote a class to detect the problem. It's a simple implementation of SecurityManager[3] that throws an exception when an attempt is made to connect to a site that is not on the list of approved hosts. The code appears below.

To use it, we set the -Djava.security.manager command-line argument to the fully-qualified class name of RestrictedNetworkAccessSecurityManager when running our test suites. Tests that access hosts we aren't expecting then fail with an error.

It's not just for applications that use XML catalogs. It's useful for almost any code, as a way to audit - and regression test - the network resources your application depends on. (Like a database you thought wasn't being used any more.) It's also a simple way to discover when third-party libraries connect to the internet unannounced.

The code is rough and ready - it's good enough for testing, but not really suitable for anything else, since it is totally permissive except for the checks on outbound connections. Feel free to use it, and suggest improvements or ways you've tackled the same problem in the comments section.
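
An added example of the approach described above, not the author's RestrictedNetworkAccessSecurityManager: a permissive SecurityManager that rejects lookups of, and connections to, hosts outside an allowlist. The class name AllowlistSecurityManager and the test.allowed.hosts property are assumptions made for this example.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.Permission;
import java.util.Set;
import java.util.TreeSet;

// Added example, not the author's RestrictedNetworkAccessSecurityManager.
// Assumption: the allowlist comes from a hypothetical "test.allowed.hosts" property.
@SuppressWarnings({"removal", "deprecation"}) // SecurityManager is deprecated since Java 17
public class AllowlistSecurityManager extends SecurityManager {
    private final Set<String> allowed = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);

    // Public no-arg constructor, needed when the JVM instantiates the class itself.
    public AllowlistSecurityManager() { this(System.getProperty("test.allowed.hosts", "localhost")); }
    public AllowlistSecurityManager(String commaSeparatedHosts) {
        for (String h : commaSeparatedHosts.split(",")) {
            if (!h.trim().isEmpty()) allowed.add(h.trim());
        }
    }

    // Permissive for everything that is not an outbound connection.
    @Override public void checkPermission(Permission perm) { }
    @Override public void checkPermission(Permission perm, Object context) { }

    // The JDK passes the host name (port -1) on lookup and the resolved IP on connect.
    @Override public void checkConnect(String host, int port) {
        if (allowed.contains(host) || (port != -1 && resolvesFromAllowedName(host))) return;
        throw new SecurityException("Unapproved network access: " + host + ":" + port);
    }
    @Override public void checkConnect(String host, int port, Object context) { checkConnect(host, port); }

    // True when the IP literal is an address that some approved name resolves to.
    private boolean resolvesFromAllowedName(String ip) {
        for (String name : allowed) {
            try {
                for (InetAddress a : InetAddress.getAllByName(name)) {
                    if (a.getHostAddress().equalsIgnoreCase(ip)) return true;
                }
            } catch (UnknownHostException ignored) { /* unresolved name matches nothing */ }
        }
        return false;
    }

    public static void main(String[] args) throws Exception { // offline self-check, no sockets
        AllowlistSecurityManager sm = new AllowlistSecurityManager("localhost");
        sm.checkConnect("localhost", -1); // lookup of an approved name passes
        sm.checkConnect(InetAddress.getByName("localhost").getHostAddress(), 8080); // its IP passes
        try { sm.checkConnect("www.w3.org", -1); throw new AssertionError("not blocked"); } // constructed host
        catch (SecurityException e) { System.out.println("blocked: " + e.getMessage()); }
    }
}
```

Enable it for a test run with `-Djava.security.manager=AllowlistSecurityManager -Dtest.allowed.hosts=localhost`. SecurityManager is deprecated for removal since Java 17 and can no longer be enabled from Java 24 onward, so this applies to test runs on older JDKs.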